FCC Confirms Rules Regarding HIPAA and Patient Telephone Calls

The Federal Communication Commission has issued a Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls.

Some healthcare providers have had trouble understanding the rules regarding HIPAA and patient telephone calls, and how the rules comply with the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after the respective Acts were introduced, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to clear up any confusion.

The ruling clarifies the rules regarding HIPAA and patient telephone calls made by covered entities and their Business Associates. The ruling also exempts covered entities and Business Entities from certain TCPA legislation in certain circumstances.

Rules Regarding HIPAA and Patient Telephone Calls

The FCC´s order clarifying the rules regarding HIPAA and patient telephone calls states that, if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to certain HIPAA restrictions. Consent applies to calls and text messages related to:

The provision of medical treatment.

Health checkups.

Appointments and reminders.

Lab test results.

Pre-operative instructions.

Post discharge follow up calls.

Notifications about prescriptions.

Home healthcare instructions.

Hospital pre-registration instructions.

When a telephone call is made, healthcare providers must first provide their name and contact details. The FCC recommends that calls should be concise, and limited, in most cases, to 60 seconds. In the case of text messages, they should be restricted to 160 characters. The frequency of communications is also restricted. Patients should only ever receive a maximum of three calls per week, and only one text message per day is acceptable.

The content of all communications is still subject to certain HIPAA restrictions – for example the Minimum Necessary Rule. Calls can only be made for the purposes described above, and cannot include any telemarketing, advertising or solicitation. Some telephone calls and text messages exempted from TCPA Rules are still subject to certain restrictions:

Telephone calls and text messages must not be charged to the client, or counted against plan limits, and those calls can only be made to the wireless telephone number provided by the patient.

Patients may have given prior express consent to receive voice calls and text messages, but that consent can be rescinded. Patients should be reminded of that fact and given a means of opting out of future communications.

If a message be left on an answering machine, patients should be provided with a toll-free telephone number to contact their healthcare provider.

Calls are still subject to TCPA rules if made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.

The FCC´s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also covers the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be provided by a patient due to incapacity, the FCC will allow a third party to provide that consent, but only when the patient is incapable of doing so personally. Should a patient recover the ability to provide consent personally, the consent provided by the third party would no longer be valid and the healthcare provider would be required to obtain consent from the patient.

HIPAA Compliant Automated Calls to Patients

An area in which the ruling still leaves a little ambiguity is HIPAA compliant automated calls to patients. Although going into great depth about what constitutes an autodialing device, the FCC ruling does little to reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.

Prior to the ban, consent could be inferred by an existing relationship between the sender and the recipient (the healthcare provider and the patient). From October 16 2013 onwards, the FCC requires prior written, unambiguous consent from the individual receiving calls on a mobile phone from an autodialing device.

Although an exemption was made for HIPAA compliant automated calls to patients´ landlines, healthcare providers should continue to avoid liability for breaches of ECPA by asking their patients for written consent to receive messages on the mobile phones that may have been generated by an autodialing device.

Ironically, automated appointment reminders send to mobile devices via a third-party texting service are allowed under the FCC ruling provided that the texting service provider signs a Business Associate Agreement (BAA). It is hoped that the situation regarding HIPAA compliant automated calls to patients will be clarified in the near future.

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

HIPAA

Compliance

Guide

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.